Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for CVE-2026-58644.
Upgrade to ProMicrosoft SharePoint Deserialization of Untrusted Data Exploitation (CVE-2026-58644)
Detects exploitation attempts and post-exploitation indicators associated with CVE-2026-58644, a deserialization of untrusted data vulnerability (CWE-502) in Microsoft SharePoint. This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed active exploitation in the wild. Successful exploitation typically results in remote code execution via crafted serialized payloads submitted to vulnerable SharePoint endpoints (e.g. ViewState, application pages, or REST/SOAP endpoints), often followed by w3wp.exe spawning abnormal child processes, webshell drops into SharePoint application directories, and LSASS/credential access activity.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Microsoft
- Product
- SharePoint
Weakness (CWE)
Timeline
- Disclosed
- July 16, 2026
References & Proof of Concept
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58644
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-58644
What is CVE-2026-58644 Microsoft SharePoint Deserialization of Untrusted Data Exploitation (CVE-2026-58644)?
Microsoft SharePoint Deserialization of Untrusted Data Exploitation (CVE-2026-58644) (CVE-2026-58644) maps to the Initial Access and Execution and Persistence tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Microsoft SharePoint Deserialization of Untrusted Data Exploitation (CVE-2026-58644), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Windows Security Events. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
let SuspiciousProcs = dynamic(["cmd.exe","powershell.exe","powershell_ise.exe","cscript.exe","wscript.exe","mshta.exe","certutil.exe","rundll32.exe","regsvr32.exe","net.exe","whoami.exe"]);
DeviceProcessEvents
| where InitiatingProcessFileName =~ "w3wp.exe"
| where FileName in~ (SuspiciousProcs)
| where InitiatingProcessCommandLine has_any ("SharePoint", "MSSharePoint", "SPWebApplication", "w3wp")
| extend PoolHint = extract(@"-ap\s+\"?([A-Za-z0-9_\-]+)\"?", 1, InitiatingProcessCommandLine)
| where PoolHint has "SharePoint" or InitiatingProcessFolderPath has "SharePoint"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessId, ProcessId
| order by TimeGenerated desc Detects anomalous child processes spawned by the SharePoint IIS worker process (w3wp.exe) hosting a SharePoint application pool, consistent with successful deserialization exploitation leading to command execution.
Data Sources
Required Tables
False Positives
- Legitimate SharePoint administrative scripts or scheduled maintenance tasks invoking PowerShell/cmd from the app pool identity
- Third-party SharePoint add-ins or health analyzer rules that shell out to system utilities
- Backup or antivirus agents instrumented into the SharePoint worker process context
Sigma rule & cross-platform mapping
The detection logic for Microsoft SharePoint Deserialization of Untrusted Data Exploitation (CVE-2026-58644) (CVE-2026-58644) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windows Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-58644
References (4)
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58644
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-58644
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Suspicious Child Process from w3wp.exe
Expected signal: Sysmon Event ID 1 process creation showing parent process w3wp.exe launching cmd.exe with command line containing 'whoami'.
- Test 2Simulate Webshell Drop in SharePoint Directory
Expected signal: Sysmon Event ID 11 file creation event for test_atomic.aspx under the SharePoint LAYOUTS directory, ideally attributed to w3wp.exe or an interactive PowerShell session.
- Test 3Simulate Encoded PowerShell Execution from IIS Context
Expected signal: Sysmon Event ID 1 showing powershell.exe with -EncodedCommand flag and a parent process context simulating w3wp.exe.
- Test 4Simulate SharePoint ViewState Tampering Request
Expected signal: IIS W3SVC log entry recording the POST request with an oversized/malformed __VIEWSTATE parameter, and a corresponding SharePoint ULS log exception.
Unlock playbooks & atomic tests with Pro
Get the full detection package for CVE-2026-58644 — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month